UK's NCSC warns of AI-driven "patch wave."

Summary

By the N2K CyberWire staff

UK's NCSC warns of AI-driven "patch wave."

The UK's National Cyber Security Centre (NCSC) is urging organizations to prepare for a surge of patches driven by AI-assisted vulnerability discovery, Infosecurity Magazine reports. The NCSC's Chief Technology Officer, Ollie Whitehouse, explained in a blog post, "Artificial Intelligence, when used by sufficiently-skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem. As a result, the NCSC expects there will be a ‘forced correction’ to address this technical debt across all types of software, including open source, commercial, proprietary, and software as a service."

The NCSC advises organizations to reduce their external attack surfaces, prioritize technologies on the perimeter, and replace end-of-life products that no longer receive patches. The Centre also outlines the following guidance to streamline patching:

"Where automatic secure ‘hot patching’ is available (that is, patching that doesn’t involve service disruption), this should be enabled as a priority
"Where automatic updates are available (including for embedded devices), this should be enabled to reduce the workload on support teams
"Where neither of the above are available, organisations will need to ensure that processes and risk appetites support frequent and scaled-updating, noting the operational trade-offs around disruption and safety-critical systems. A risk-prioritised approach, such as the Stakeholder Specific Vulnerability Categorisation (SSVC) system, can be used to prioritise installing the updates."

The browser is the new endpoint. Are you securing it?

Today’s work happens in the browser - but that’s also where new risks live. From shadow IT to session-based threats, critical activity often goes unseen.

NordLayer Browser gives IT teams visibility and control inside the browser itself—helping protect company data and enforce security across SaaS apps without disrupting workflows.

If your security stack stops short of the browser, it may be time to take a closer look.

Google fixes critical Android vulnerability.

Google yesterday issued a fix for a critical Android flaw (CVE-2026-0073) that can allow remote code execution without user interaction, Forbes reports. The vulnerability affects Android's System component. According to the vulnerability's description, "In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code."

Users should ensure their devices have updated to the 2026-05-01 security patch level or later.

Join SASEfy 2026: The Summit for SASE and AI on May 20

AI adoption across tools, applications, and agents is outpacing governance. Teams must understand where AI introduces risk, how data is exposed, and how agentic behavior impacts control. Join Cato, Microsoft, Forrester, and Dayforce at SASEfy 2026, the summit for SASE and AI, on May 20 at 12p ET to identify risk, secure AI, and adapt Zero Trust for agentic AI.

Trellix discloses source code breach.

Cybersecurity giant Trellix has disclosed a breach of a portion of its source code repository, SecurityWeek reports. Trellix stated, "Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited." The company has notified law enforcement and says it will share more details once the investigation is complete.

While Trellix hasn't shared details about the intrusion, SecurityWeek notes that several other cybersecurity firms, including Checkmarx, Aqua Security, and Bitwarden, were recently breached via software supply chain attacks.

Track global cyber threats with the Microsoft Threat Intelligence podcast

Step into the frontlines of cyber defense with the Microsoft Threat Intelligence podcast. Hear from intelligence experts as they share how they track APTs, gangs, malware, and emerging vulnerabilities. Each episode delivers key insights into espionage, attacker tradecraft, and the skills needed for modern threat hunting. Listen in and stay one step ahead.

Notes.

Today's issue includes events affecting , and the United States.

Selected Reading

Attacks, Threats, and Vulnerabilities

CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs (BleepingComputer) A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices.

Everest Group Begins Leaking Alleged Liberty Mutual Data (GovInfoSecurity) Cybercrime Gang Claims to Have 108-Gbyte Trove of Insurer's Files, Folders

Litigation, Investigation, and Law Enforcement

Romanian National Appears in Federal Court Following Extradition from Romania on Bank Fraud Charges Stemming From “Vishing” Scheme (US Justice Department) A Romanian national appeared in court today to face bank fraud charges for his role in a “vishing” scheme, following his extradition from Romania, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

CyberArk IMPACT 2026 (Austin, Texas, USA, May 11 - 13, 2026) At CyberArk IMPACT, cybersecurity practitioners and leaders will come together to explore today’s #1 attack vector – identity. Attendees will acquire a deep understanding of the latest developments in identity-based cyberattacks, including sophisticated attacker techniques that leverage AI and other methods. And most importantly, they will learn how to shut out attackers and prevent unauthorized access by securing every identity across the organization with the right level of privilege controls.

VeeamON 2026: Data & AI Trust Converge for the Agentic Era (Virtual and New York, New York, USA, May 12, 2026) VeeamON Online broadcasts the NYC keynote and select breakout content live and on demand. You’ll hear directly from the teams building the platforms, the customers operating at scale, and the leaders navigating real-world AI risk.

KB4-CON 2026 (Orlando, Florida, USA, May 12 - 14, 2026) Since its inception in 2018, KB4-CON has evolved from a user-focused gathering to the must-attend event for anyone serious about staying ahead in the security landscape. It is the human risk management industry’s premier event, bringing together KnowBe4 customers, channel partners, prospects, plus security advocates and industry professionals. This is your exclusive opportunity to engage with and learn from the industry’s most influential players, all under one roof.

ASCEND 2026 (Washington, DC, USA, May 19 - 21, 2026) ASCEND connects the civil, commercial, and national security space sectors, along with adjacent industries, to embrace the opportunities and address the challenges that come with increased activity in space. Building our sustainable off-world future requires long-term thinking. Strategic planning, innovation, scientific exploration, and effective regulations and standards will help us preserve space for future generations. ASCEND will enable the technical exchanges, debates, and collaboration that will help forge a sustainable off-world future for all.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 05.05.26

Top stories.

UK's NCSC warns of AI-driven "patch wave."

Google fixes critical Android vulnerability.

Trellix discloses source code breach.

Notes.

Attacks, Threats, and Vulnerabilities

Litigation, Investigation, and Law Enforcement

Events